BUSINESS ASSOCIATE AGREEMENT
HIPAA / HITECH Compliance Addendum
Pursuant to 45 C.F.R. Parts 160 & 164, the HITECH Act (Pub. L. 111-5),
the Florida Information Protection Act (Fla. Stat. § 501.171),
and the Florida Electronic Signature Act (Fla. Stat. §§ 668.50 & 668.004)
This Business Associate Agreement (this “BAA” or “Agreement”) is entered into as of the date of last electronic execution below (the “Effective Date”), by and between:
BreakoutConnect LLC, a Florida limited liability company, with its principal mailing address at PO Box 345, Sanford, FL 32772, operating the Breakout Connect SaaS platform at breakoutconnect.live.
Parent Company: Inspired Technical Management LLC, a Florida limited liability company.
Subsidiaries and Affiliates: Any current or future subsidiaries, affiliates, or related entities of BreakoutConnect LLC or Inspired Technical Management LLC that may provide services under or benefit from this Agreement.
BreakoutConnect LLC, together with its parent company, subsidiaries, and affiliates, is hereinafter referred to as “Breakout Connect,” “Platform Provider,” or “BC.”
AND
The entity identified in the Electronic Signature Block below (hereinafter referred to as “Counterparty,” “Client,” or “You”).
Breakout Connect and Counterparty may each be referred to individually as a “Party” and collectively as the “Parties.”
RECITALS
WHEREAS, the Parties have entered into, or intend to enter into, a services agreement, subscription agreement, or similar arrangement (the “Underlying Agreement”) pursuant to which one Party may provide services to the other that involve the creation, receipt, maintenance, transmission, use, or disclosure of Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), Title XIII of the American Recovery and Reinvestment Act, Public Law 111-5, and their implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, the “HIPAA Rules”);
WHEREAS, the Breakout Connect platform is a cloud-based SaaS application for audiovisual and live event production management, through which presentations, files, and other materials containing PHI—including patient data, clinical images, case studies, and de-identified or identifiable health information—may be uploaded, stored, transmitted, displayed, or synchronized to local desktop clients in connection with medical conferences, healthcare symposia, continuing medical education (CME) events, and related activities;
WHEREAS, the Parties acknowledge that AV production personnel, event coordinators, room leads, and technical crew may have incidental or direct access to PHI displayed on screens, in presentation files, or through the platform’s file synchronization and review features during the production of healthcare events;
WHEREAS, either Party may function as a Covered Entity or a Business Associate depending on the service relationship, and this Agreement applies bidirectionally;
NOW, THEREFORE, in consideration of the mutual promises and covenants set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
ARTICLE I — DEFINITIONS
All capitalized terms used but not otherwise defined herein shall have the meanings ascribed to them under the HIPAA Rules. Key definitions:
1.1 “Breach” shall have the meaning given under 45 C.F.R. § 164.402.
1.2 “Business Associate” shall mean the Party that creates, receives, maintains, or transmits PHI on behalf of the other Party. Either Breakout Connect or Counterparty may serve as Business Associate depending on the service relationship.
1.3 “Covered Entity” shall mean the Party that engages the other to perform functions involving PHI on its behalf.
1.4 “Designated Record Set” shall have the meaning given under 45 C.F.R. § 164.501.
1.5 “De-Identified Information” shall mean health information de-identified per 45 C.F.R. § 164.514(a) and (b), using the Safe Harbor method (removal of all 18 enumerated identifiers) or Expert Determination method.
1.6 “Desktop Sync Client” shall mean the Breakout Connect desktop application installed on local computers at event venues for live event production file synchronization.
1.7 “ePHI” shall mean any PHI created, received, maintained, or transmitted in electronic form through the platform, its Desktop Sync Client, or any connected service.
1.8 “HIPAA Compliance Mode” shall mean the enhanced security mode activated within the platform when the HIPAA Compliance toggle is enabled for an event, triggering mandatory file review, audit logging, remote data destruction capabilities, and IP address tracking.
1.9 “Individual” shall have the meaning given under 45 C.F.R. § 160.103, including personal representatives per 45 C.F.R. § 164.502(g).
1.10 “PHI” shall have the meaning given under 45 C.F.R. § 160.103, and specifically includes patient data, clinical images, case studies, and any individually identifiable health information contained within materials on the platform.
1.11 “Safe Harbor Identifiers” shall mean the 18 categories of identifiers enumerated in 45 C.F.R. § 164.514(b)(2)(i).
1.12 “Security Incident” shall have the meaning given under 45 C.F.R. § 164.304.
1.13 “Subcontractor” shall mean a person to whom a Business Associate delegates a function involving PHI, other than a workforce member.
1.14 “Unsecured PHI” shall have the meaning given under 45 C.F.R. § 164.402.
ARTICLE II — BIDIRECTIONAL APPLICABILITY
2.1 Flexible Role Assignment. Either Party may function as the Covered Entity or Business Associate depending on the service relationship.
2.2 Upstream Relationship. When Counterparty engages Breakout Connect to provide platform services involving PHI, Counterparty is deemed the Covered Entity and Breakout Connect the Business Associate.
2.3 Downstream Relationship. When Breakout Connect engages Counterparty for AV production, staffing, or services requiring access to PHI held by Breakout Connect, Breakout Connect is deemed the Covered Entity and Counterparty the Business Associate.
2.4 Simultaneous Roles. Both Parties may simultaneously serve as Business Associates to one or more Covered Entities, in which case both independently comply with all BA obligations.
ARTICLE III — OBLIGATIONS OF THE BUSINESS ASSOCIATE
The Party serving as Business Associate shall:
3.1 Permitted Uses. Not use or disclose PHI except as permitted by this Agreement, the Underlying Agreement, or as Required by Law.
3.2 Minimum Necessary. Limit PHI use to the minimum necessary per 45 C.F.R. § 164.502(b). AV personnel receive access only to rooms and files necessary for their duties.
3.3 Safeguards. Implement administrative, physical, and technical safeguards per Subpart C of 45 C.F.R. Part 164, including: AES-256-GCM encryption at rest; TLS 1.2+ in transit; role-based access controls; MFA for privileged access; periodic risk assessments; designated Security and Privacy Officers; and documented workforce HIPAA training with attestation records retained for the employment duration plus six (6) years.
3.4 Subcontractors. Ensure all Subcontractors agree in writing to identical restrictions per 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.504(e)(2)(ii)(D). The Business Associate remains liable for Subcontractor acts or omissions.
3.5 Access to PHI. Provide PHI in Designated Record Sets within fifteen (15) business days per 45 C.F.R. § 164.524.
3.6 Amendment. Incorporate PHI amendments within fifteen (15) business days per 45 C.F.R. § 164.526.
3.7 Accounting of Disclosures. Maintain and provide accounting within thirty (30) days per 45 C.F.R. § 164.528. Records retained six (6) years.
3.8 Government Access. Make records available to the Secretary of HHS for compliance determination.
3.9 Mitigation. Take reasonable steps to mitigate harmful effects of unauthorized PHI use or disclosure.
3.10 Restrictions. Comply with PHI use restrictions under 45 C.F.R. § 164.522 upon written notice from the Covered Entity.
3.11 No Sale of PHI. Shall not sell PHI per 42 U.S.C. § 17935(d) without prior Individual authorization.
3.12 No Marketing. Shall not use PHI for marketing per 45 C.F.R. § 164.501 without prior Individual authorization.
ARTICLE IV — BREACH NOTIFICATION
4.1 Notification. Report any Breach, Security Incident, or unauthorized use/disclosure within seventy-two (72) hours of discovery.
4.2 Content. Include: affected Individual identification; description of events and dates; types of PHI involved; recommended protective steps; investigation and mitigation efforts; and identity of persons involved.
4.3 Florida FIPA. Cooperate to provide notification per Fla. Stat. § 501.171: (a) notify affected Florida residents within 30 days; (b) if 500+ residents affected, notify the Florida Department of Legal Affairs within 30 days; (c) if 1,000+ residents affected, notify consumer reporting agencies within 30 days.
4.4 Updates. Supplement breach information within ten (10) business days as additional facts emerge.
4.5 Breach Costs. If a Breach is caused solely by the Business Associate’s failure to comply with this Agreement, the Business Associate bears reasonable costs of: notification; twelve (12) months of credit monitoring; investigation and forensics; regulatory reporting; and the Covered Entity’s reasonable attorney’s fees directly related to the Breach.
4.6 Risk Assessment. Conduct and document a risk assessment per 45 C.F.R. § 164.402(2) and share results with the Covered Entity.
4.7 Aggregate Security Incident Reporting. The Parties acknowledge that unsuccessful security incidents (port scans, unsuccessful logon attempts, denial-of-service attacks that do not result in unauthorized access) occur routinely. The Business Associate’s obligation to report Security Incidents shall be satisfied by providing aggregate reports of unsuccessful incidents on a quarterly basis, or more frequently upon reasonable request.
ARTICLE V — OBLIGATIONS OF THE COVERED ENTITY
5.1 Notice of Privacy Practices. Notify the Business Associate of any limitations in its Notice of Privacy Practices under 45 C.F.R. § 164.520 that may affect PHI use.
5.2 Changes in Permission. Notify the Business Associate of any changes in Individual permission to use or disclose PHI.
5.3 Restrictions. Notify the Business Associate in writing of any PHI restrictions under 45 C.F.R. § 164.522.
5.4 Permissible Requests. Not request PHI use or disclosure that would violate HIPAA if done by the Covered Entity.
5.5 De-Identification Responsibility. The Covered Entity bears sole responsibility for ensuring PHI in uploaded presentations has been appropriately de-identified per 45 C.F.R. § 164.514(b) or that valid HIPAA authorization has been obtained. The Platform Provider does not inspect, screen, or de-identify content uploaded by the Covered Entity or its users and bears no liability for the presence of identifiable PHI in uploaded materials.
5.6 Workforce Training. Ensure all AV crew, presenters, and personnel with platform access have received role-appropriate HIPAA training and maintain training documentation.
5.7 Accurate Information. Provide accurate and complete information regarding its HIPAA compliance status, covered entity status, and any restrictions or authorizations. The Client represents and warrants that it has the authority to upload any content to the platform and to authorize the Platform Provider’s processing of such content as contemplated by this Agreement.
ARTICLE VI — MEDICAL CONFERENCE & AV PRODUCTION PROTECTIONS
6.1 Scope of PHI Exposure. The Parties acknowledge unique HIPAA risks in AV production of medical events, including: patient data in slides displayed on screens, projectors, or IMAG; files synchronized to Desktop Sync Clients; AV crew line-of-sight access to PHI on monitors; session recordings or captures; and platform chat messages referencing PHI.
6.2 AV Crew Obligations. All AV personnel with access to PHI during HIPAA Compliance Mode events shall: sign HIPAA confidentiality acknowledgments; refrain from capturing any PHI without written Covered Entity authorization; refrain from disclosing PHI to unauthorized persons; immediately report suspected unauthorized disclosures; and return or destroy PHI upon assignment completion.
6.3 Presenter Obligations. Presenters uploading PHI to the platform acknowledge: responsibility for de-identification or valid HIPAA authorization; the requirement to use HIPAA Compliance Mode for events containing identifiable PHI; compliance with file review processes; and that all uploads, downloads, and access events are logged with timestamps, identity, and IP address.
6.4 Physical Controls. For HIPAA Compliance Mode events, the Covered Entity shall implement reasonable physical safeguards: restricted room access; screen positioning to minimize unauthorized viewing; restrictions on personal recording devices; and visible signage indicating confidential content and recording prohibition.
6.5 Streaming & Recording. Sessions containing identifiable PHI shall not be streamed, webcast, or recorded unless all PHI is de-identified via Safe Harbor, valid authorization is obtained, or recording is solely for internal quality assurance secured per the HIPAA Security Rule.
6.6 Incidental Disclosure Safe Harbor. Certain disclosures during live production may constitute incidental disclosures under 45 C.F.R. § 164.502(a)(1)(iii) and are not HIPAA violations if reasonable safeguards were implemented.
ARTICLE VII — PLATFORM DATA MANAGEMENT & DESTRUCTION
7.1 HIPAA Compliance Mode. When enabled, the following controls are enforced: mandatory file review queue; all file access/downloads logged with identity, timestamp, and IP; remote Desktop Sync Client wipe capability; pre-destruction ZIP download with audit trail; and event-level data destruction with auditable destruction certificate.
7.2 Remote Wipe. Remote wipe commands are cryptographically authenticated; the Desktop Sync Client permanently deletes all synchronized content and confirms destruction; offline clients execute the wipe upon next connection before any new sync occurs.
7.3 Audit Logging. Comprehensive logs include: file uploads (name, size, hash); review actions; downloads; deletions; ZIP archive downloads; remote wipe commands; login/logout; HIPAA Mode settings changes; and API access to PHI. Each entry includes user ID, full name, IP address, and UTC timestamp.
7.4 Log Retention. Audit logs retained minimum six (6) years per 45 C.F.R. § 164.530(j), in separate access-controlled storage exempt from routine destruction.
7.5 Pre-Destruction Download. Before event-level destruction, the platform offers ZIP download of all approved files. Downloads are logged with: administrator identity, IP, UTC timestamp, file manifest, and SHA-256 archive hash. The Covered Entity bears sole responsibility for secure storage of downloaded archives.
7.6 Destruction Certificate. Upon completion, the platform generates a certificate containing: event ID and name; file list; destruction timestamp; remote wipe confirmation status; initiator identity; and unique certificate ID.
ARTICLE VIII — PLATFORM SECURITY ARCHITECTURE
8.1 Data Isolation. Isolated PostgreSQL database instances per tenant. No cross-tenant data access.
8.2 Encryption. AES-256-GCM at rest; TLS 1.2+ in transit; encryption keys managed separately from encrypted data.
8.3 Access Controls. Bcrypt-hashed credentials (12 rounds); JWT session management; role-based access; comprehensive audit logging.
8.4 File Review. When enabled, all uploaded files undergo review and approval before availability. Pending files accessible only to designated reviewers.
8.5 Infrastructure. Hosted on DigitalOcean with S3-compatible object storage. Infrastructure providers maintain appropriate security certifications.
8.6 Incident Response. Documented plan covering: identification and containment; eradication and recovery; post-incident analysis; and notification per Article IV.
8.7 Vulnerability Management. Timely security patches; dependency updates; rate limiting; security headers; production hardening on all services.
ARTICLE IX — DISCLAIMER OF WARRANTIES
9.1 Platform “AS IS.” EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE BREAKOUT CONNECT PLATFORM AND ALL SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE,” WITHOUT WARRANTY OF ANY KIND, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. BREAKOUT CONNECT SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.
9.2 Content Disclaimer. BREAKOUT CONNECT DOES NOT INSPECT, REVIEW, VERIFY, SCREEN, DE-IDENTIFY, OR ENDORSE ANY CONTENT UPLOADED TO THE PLATFORM. THE CLIENT IS SOLELY RESPONSIBLE FOR THE LEGALITY, ACCURACY, COMPLETENESS, AND HIPAA COMPLIANCE OF ALL CONTENT. BREAKOUT CONNECT SHALL HAVE NO LIABILITY FOR ANY PHI IN CLIENT-UPLOADED CONTENT.
9.3 Third-Party Services. Breakout Connect makes no warranty regarding any third-party services or infrastructure providers. Any disruption caused by a third-party provider shall not constitute a breach by Breakout Connect, provided appropriate Subcontractor agreements and reasonable diligence were maintained.
9.4 Regulatory Compliance. Breakout Connect does not guarantee, warrant, or certify the Client’s compliance with HIPAA, HITECH, or any other law. The Client is solely responsible for its own compliance program.
ARTICLE X — LIMITATION OF LIABILITY
10.1 Exclusion of Consequential Damages. TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING LOSS OF PROFITS, REVENUE, BUSINESS, GOODWILL, DATA, OR COST OF SUBSTITUTE SERVICES, HOWEVER CAUSED, EVEN IF ADVISED OF THE POSSIBILITY.
10.2 Aggregate Liability Cap. BREAKOUT CONNECT’S TOTAL AGGREGATE LIABILITY SHALL NOT EXCEED THE LESSER OF: (A) TWELVE (12) MONTHS OF FEES PAID; OR (B) ONE HUNDRED THOUSAND DOLLARS ($100,000 USD).
10.3 Carve-Outs. Sections 10.1 and 10.2 shall not apply to: (a) indemnification from gross negligence or willful misconduct; (b) breach of confidentiality; (c) fraud or intentional misrepresentation; or (d) liability that cannot be limited by law. For carve-outs, the Super Cap is three (3) times the Section 10.2 cap.
10.4 Client Liability. The Client is solely liable for claims arising from: (a) failure to de-identify PHI; (b) missing HIPAA authorizations; (c) workforce training failures; (d) platform misuse; or (e) third-party claims from client-uploaded content.
10.5 Acknowledgment. These limitations reflect a reasonable risk allocation fundamental to the basis of the bargain.
ARTICLE XI — INDEMNIFICATION
11.1 Indemnification by Client. The Client shall indemnify, defend, and hold harmless all BC Indemnified Parties (Breakout Connect, Inspired Technical Management LLC, their subsidiaries, affiliates, officers, directors, members, managers, employees, agents, successors, and assigns) from claims arising from: (a) Client breach; (b) Client HIPAA violations; (c) PHI in client-uploaded content; (d) failure to de-identify or obtain authorizations; (e) workforce training failures; (f) platform misuse; or (g) Individual claims from Client’s PHI use.
11.2 Indemnification by Breakout Connect. Breakout Connect shall indemnify the Client from third-party claims arising directly from: (a) Breakout Connect’s material breach of Article III; or (b) gross negligence or willful misconduct in handling PHI—excluding claims arising from the Client’s own acts, content, or breach.
11.3 Procedures. Prompt notice; sole defense control to indemnifying Party (no settlement admitting liability without consent); reasonable cooperation at indemnifying Party’s expense.
ARTICLE XII — TERM AND TERMINATION
12.1 Term. Effective as of the Effective Date; continues for the duration of the Underlying Agreement.
12.2 Termination for Cause. Either Party may terminate upon thirty (30) days’ written notice of material breach. Immediate termination if cure is infeasible.
12.3 Termination for Convenience. Either Party may terminate upon ninety (90) days’ written notice.
12.4 Automatic Termination. Terminates upon expiration of the Underlying Agreement.
12.5 Effect of Termination. (a) Return or destroy PHI within 30 days with written certification; (b) Client has 15 business days to download data; (c) remote wipe of all Desktop Sync Clients; (d) if destruction infeasible, protections continue.
12.6 Suspension. Breakout Connect may immediately suspend access, without liability, if Client use poses imminent risk to PHI, the platform, or other clients’ data.
12.7 Survival. Articles IV, VII (7.4, 7.6), VIII, IX, X, XI, XIII, XIV, XV, XVI, XVII, and XVIII survive termination.
ARTICLE XIII — FLORIDA-SPECIFIC PROVISIONS
13.1 FIPA. Both Parties comply with Fla. Stat. § 501.171. More stringent standard applies.
13.2 FDUTPA. Failure to protect PHI may violate Fla. Stat. §§ 501.201–501.213.
13.3 Governing Law. Florida law; exclusive jurisdiction in Seminole County, Florida courts.
13.4 Attorney’s Fees. Prevailing party recovers reasonable fees and costs.
13.5 Jury Waiver. EACH PARTY WAIVES ANY RIGHT TO A JURY TRIAL.
ARTICLE XIV — FORCE MAJEURE
14.1 Definition. Neither Party liable for delays caused by events beyond reasonable control: natural disasters (including hurricanes), pandemics, terrorism, government actions, cyberattacks despite reasonable security, third-party infrastructure failures, or power outages.
14.2 Notice. Written notice within five (5) business days.
14.3 Mitigation. Commercially reasonable efforts to resume performance.
14.4 Extended Suspension. If 60+ consecutive days, either Party may terminate with 30 days’ notice.
14.5 PHI Obligations. Security and confidentiality obligations continue during Force Majeure to the maximum extent feasible.
ARTICLE XV — ASSIGNMENT & CHANGE OF CONTROL
15.1 Client Restriction. Client may not assign without Breakout Connect’s prior written consent (sole discretion). Purported assignments are null and void.
15.2 BC Assignment. Breakout Connect may freely assign to affiliates, parents, subsidiaries, successors, or asset purchasers without Client consent.
15.3 Change of Control. Client must notify BC within 30 days of any change of control. BC may terminate upon 60 days’ notice if material PHI risk.
ARTICLE XVI — INTELLECTUAL PROPERTY & DATA OWNERSHIP
16.1 Platform IP. Breakout Connect retains all platform intellectual property. No license granted except limited use rights under the Underlying Agreement.
16.2 Client Data. Client retains ownership. Client grants BC a limited license to process data solely for platform services.
16.3 Aggregate Data. BC may use de-identified, aggregate data for platform improvement, provided it cannot identify any Individual, Client, or event.
16.4 Feedback. Client feedback becomes BC’s property without compensation or attribution obligation.
ARTICLE XVII — ADDITIONAL PROTECTIVE PROVISIONS
17.1 Independent Contractor. No partnership, joint venture, employment, franchise, or agency relationship created.
17.2 No Agency. Neither Party’s knowledge is imputed to the other. Breach discovery obligations are independent.
17.3 Insurance. Business Associate shall maintain: $1M CGL; $1M professional/cyber liability; workers’ comp per Florida law. Certificates upon request.
17.4 Audit Rights. Once per year, 30 days’ notice, at requesting Party’s expense. SOC 2 reports may substitute for on-site inspection at BA’s sole discretion.
17.5 Compliance Cooperation. Good-faith cooperation on Individual rights requests, regulatory investigations, and compliance documentation.
17.6 Non-Solicitation. Client shall not solicit BC employees/contractors for 12 months post-term.
17.7 Publicity. No press releases without consent. BC may identify Client as customer in non-public materials.
17.8 Platform Modifications. BC may modify the platform at any time provided security capabilities are not materially diminished.
17.9 Acceptable Use. No unauthorized access, reverse engineering, illegal content, usage limit violations, or disproportionate infrastructure load.
ARTICLE XVIII — ELECTRONIC SIGNATURE & DIGITAL EXECUTION
18.1 Consent. Each Party consents to electronic transaction per E-SIGN Act and Florida ESA (Fla. Stat. § 668.50).
18.2 Authentication. Typed legal name; typed initials per Article; IP address; UTC timestamp; session ID; SHA-256 hash.
18.3 Audit Trail. Complete execution audit trail retained for Agreement term plus six (6) years.
18.4 Document Integrity. SHA-256 hash protects against tampering. Post-execution modification requires re-execution.
18.5 Record Retention. Access, download, and print during term plus six (6) years.
18.6 Right to Paper Copy. Available at no charge per E-SIGN Act.
ARTICLE XIX — MISCELLANEOUS
19.1 Regulatory References. As in effect or as amended.
19.2 Amendment. Written instrument signed by both Parties only.
19.3 No Third-Party Beneficiaries.
19.4 Severability. Invalid provisions severed; remainder continues.
19.5 Entire Agreement. Supersedes all prior negotiations and representations.
19.6 Notices. BreakoutConnect LLC, PO Box 345, Sanford, FL 32772, Attn: Legal Department, copy to legal@breakoutconnect.com.
19.7 Waiver. Written waivers only.
19.8 Dispute Resolution. 30-day negotiation → mediation in Seminole County → litigation. Injunctive relief available without prior negotiation/mediation.
19.9 Counterparts. Electronic signatures deemed originals per Article XVIII.
19.10 Interpretation. HIPAA prevails if conflicting. Florida law where more protective.
19.11 Construction. Not construed against drafter. Headings for convenience only.
19.12 Cumulative Remedies. All remedies cumulative.
[ELECTRONIC SIGNATURE & INITIALS PAGE]
SECTION-BY-SECTION INITIALS
Each Party’s authorized representative shall initial each Article to confirm review and understanding. Electronic initials are captured with IP address and UTC timestamp.
| Article | Initials |
|---|---|
| Article I — Definitions | ________ |
| Article II — Bidirectional Applicability | ________ |
| Article III — Obligations of the Business Associate | ________ |
| Article IV — Breach Notification | ________ |
| Article V — Obligations of the Covered Entity | ________ |
| Article VI — Medical Conference & AV Production | ________ |
| Article VII — Platform Data Management & Destruction | ________ |
| Article VIII — Platform Security Architecture | ________ |
| Article IX — Disclaimer of Warranties | ________ |
| Article X — Limitation of Liability | ________ |
| Article XI — Indemnification | ________ |
| Article XII — Term and Termination | ________ |
| Article XIII — Florida-Specific Provisions | ________ |
| Article XIV — Force Majeure | ________ |
| Article XV — Assignment & Change of Control | ________ |
| Article XVI — Intellectual Property & Data Ownership | ________ |
| Article XVII — Additional Protective Provisions | ________ |
| Article XVIII — Electronic Signature & Digital Execution | ________ |
| Article XIX — Miscellaneous | ________ |
[ELECTRONIC EXECUTION PAGE]
IN WITNESS WHEREOF, the Parties have executed this Business Associate Agreement electronically, manifesting their intent to be bound. Each signature is captured with IP address, UTC timestamp, and session identifier per the E-SIGN Act and Florida Electronic Signature Act.
BREAKOUTCONNECT LLC
A subsidiary of Inspired Technical Management LLC
Signature:
Print Name:
Title:
Date (UTC):
IP Address:
Session ID:
Email:
COUNTERPARTY / CLIENT
Entity Name:
Entity Type:
State of Organization:
Principal Address:
Signature:
Print Name:
Title:
Date (UTC):
IP Address:
Session ID:
Email:
DOCUMENT INTEGRITY VERIFICATION
SHA-256 Hash: ________________________________________________________________
Generated: ______________________ UTC
Certificate ID: _______________________________________________